rgw: utilize is_impersonating for forwarded sts requests
With the introduction of is_impersonating in SysReqApplier,
RoleApplier can now use the same mechanism, when a request
has been forwarded by a system user on behalf of another role (e.g.,
through STS), to mark it as a system request (s->system_request).
In rgw_sync_pipe_params, the mode can be either system or user.
When in system mode, no user is involved, but the current
implementation holds an empty rgw_user, which can cause confusion
in pipe_rules::find_basic_info_without_tags().
With this change, rgw_user is now optional, ensuring that when no
user is involved, it is explicitly nullopt rather than an empty object.
Seena Fallah [Fri, 28 Mar 2025 20:55:20 +0000 (21:55 +0100)]
rgw: remote copy obj pass rgwx-perm-check-uid for perm evaluation
When copying an object from a remote source (a bucket from another zonegroup),
the perms of the source are not evaluated, resulting in reading from
unauthorized buckets.
Passing `rgwx-perm-check-uid` will let the source zone evaluate the
perm and close this bug.
Seena Fallah [Fri, 28 Mar 2025 20:52:47 +0000 (21:52 +0100)]
rgw: RGWRadosPutObj evals source bucket perm for backward compatibility
As of a3f40b4 we no longer evaluate perms locally for the source bucket;
this could cause broken permission evaluation during upgrade, as one
zone is not respecting the perm evaluation based on the `rgwx-perm-check-uid`
arg.
Seena Fallah [Fri, 28 Mar 2025 20:48:34 +0000 (21:48 +0100)]
rgw: give hint via header for perm evaluation in GetObj
Return the `Rgwx-Perm-Checked` header as a hint for the destination zone
to know whether the perms were considered or not.
This is just a backward compatibility for upgrade and can be dropped
in T+2 release.
Seena Fallah [Thu, 27 Feb 2025 10:53:44 +0000 (11:53 +0100)]
rgw: take account GetObject(Version)Tagging when replicating
In case the uid has no permission to read tagging, the tags should
not be replicated.
Ref. https://docs.aws.amazon.com/AmazonS3/latest/userguide/setting-repl-config-perm-overview.html
Seena Fallah [Mon, 24 Feb 2025 22:41:13 +0000 (23:41 +0100)]
rgw: check source object replication by replication actions
Check for permissions of `s3:GetObjectVersionForReplication` in
addition to `s3:GetObject` and `s3:GetObjectVersion` when fetching
the object for multisite.
Seena Fallah [Mon, 24 Feb 2025 22:33:45 +0000 (23:33 +0100)]
rgw: only allow system override if identity is not impersonating
Since multisite now delegates permission checks for source objects
to the source zone (a3f40b4), we need to avoid allowing system-level
overrides when the request is impersonating another identity.
SysReqApplier should only grant override permission if the request
is truly system-authenticated and not acting on behalf of another
user or role (i.e., no rgwx-perm-check-uid or rgwx-perm-check-role
in the request).
rgw: SysReqApplier overrides is_admin_of based on impersonation
SysReqApplier now returns true for is_admin_of() when the requester
was a system user and was not impersonating any user/role using
rgwx-perm-check-uid or rgwx-perm-check-role.
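The delegation flow the RGW commits above describe (forward the fetch as the system user with `rgwx-perm-check-uid`, let the source zone evaluate the impersonated identity including the replication and tagging actions, refuse the system override while impersonating, signal the check with `Rgwx-Perm-Checked`, and fall back to local evaluation during a rolling upgrade), as an added Python model. This is not RGW's code: the `Request`/`SourceZone` classes, the policy table, the `upgraded` flag, the header value `"true"` and the sample identities are assumptions made for the demonstration; only the header names and the S3 action names come from the commit messages.

```python
from __future__ import annotations
from dataclasses import dataclass, field

IMPERSONATION_HEADERS = ("rgwx-perm-check-uid", "rgwx-perm-check-role")
PERM_CHECKED_HEADER = "Rgwx-Perm-Checked"   # hint named in the commits; value "true" is assumed

# Any one of these lets a multisite fetch read the object body.
OBJECT_READ_ACTIONS = frozenset(
    {"s3:GetObject", "s3:GetObjectVersion", "s3:GetObjectVersionForReplication"})
# Without one of these the tags are not replicated.
TAG_READ_ACTIONS = frozenset({"s3:GetObjectTagging", "s3:GetObjectVersionTagging"})

# Constructed policy table: identity -> actions it may perform on the source bucket.
POLICY = {
    "alice": frozenset({"s3:GetObject", "s3:GetObjectTagging"}),
    "bob": frozenset({"s3:GetObjectVersionForReplication"}),   # body only, no tags
    "mallory": frozenset(),
}


@dataclass
class Request:
    caller: str                                   # identity whose creds signed the request
    system_auth: bool                             # caller is a system user
    headers: dict[str, str] = field(default_factory=dict)


def impersonated_identity(req: Request) -> str | None:
    """Identity named by rgwx-perm-check-uid/-role, honoured only for system callers.

    An ordinary caller must not be able to pick a different principal by
    adding these headers, so they are ignored unless system_auth is set.
    """
    if not req.system_auth:
        return None
    for name in IMPERSONATION_HEADERS:
        if name in req.headers:
            return req.headers[name]
    return None


def system_override_allowed(req: Request) -> bool:
    """SysReqApplier rule: override only when system-authenticated and not impersonating."""
    return req.system_auth and impersonated_identity(req) is None


def effective_principal(req: Request) -> str:
    return impersonated_identity(req) or req.caller


@dataclass
class SourceZone:
    policy: dict[str, frozenset]
    upgraded: bool = True     # an old zone neither evaluates the uid nor sends the hint

    def get_obj(self, req: Request) -> tuple[int, dict, dict]:
        """GetObj as seen from the source zone: (status, response headers, payload)."""
        obj = {"body": b"data", "tags": {"env": "prod"}}
        if not self.upgraded:
            return 200, {}, obj                       # pre-fix: system creds, no perm check
        if system_override_allowed(req):
            return 200, {PERM_CHECKED_HEADER: "true"}, obj
        allowed = self.policy.get(effective_principal(req), frozenset())
        if not allowed & OBJECT_READ_ACTIONS:
            return 403, {PERM_CHECKED_HEADER: "true"}, {}
        if not allowed & TAG_READ_ACTIONS:
            obj = {**obj, "tags": {}}                 # readable body, tags withheld
        return 200, {PERM_CHECKED_HEADER: "true"}, obj


def fetch_for_replication(source: SourceZone, dest_policy: dict, uid: str) -> tuple[int, dict]:
    """Destination side: forward as the system user on behalf of `uid`.

    If the source did not say it checked permissions (an un-upgraded zone),
    evaluate them locally instead, which is the backward-compatibility path.
    """
    req = Request(caller="system", system_auth=True, headers={"rgwx-perm-check-uid": uid})
    status, hdrs, payload = source.get_obj(req)
    if status != 200:
        return status, payload
    if hdrs.get(PERM_CHECKED_HEADER) != "true":
        allowed = dest_policy.get(uid, frozenset())
        if not allowed & OBJECT_READ_ACTIONS:
            return 403, {}
        if not allowed & TAG_READ_ACTIONS:
            payload = {**payload, "tags": {}}
    return status, payload


if __name__ == "__main__":
    new_zone, old_zone = SourceZone(POLICY), SourceZone(POLICY, upgraded=False)
    for uid in POLICY:
        print(uid, fetch_for_replication(new_zone, POLICY, uid),
              fetch_for_replication(old_zone, POLICY, uid))
```

The point the model makes explicit: a system-signed request with no impersonation header keeps the override, the same request carrying `rgwx-perm-check-uid` is judged as that uid (no override, tags withheld when only the body is readable), a non-system caller cannot borrow a principal through the header at all, and a destination that sees no `Rgwx-Perm-Checked` hint does the evaluation itself rather than trusting the old zone's answer.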
Patrick Donnelly [Mon, 28 Apr 2025 13:58:02 +0000 (09:58 -0400)]
Merge PR #61796 into main
* refs/pull/61796/head:
rgw/sts: Use client_id for assumerolewithwebidentityresponse
rgw/sts: adding validation of jwks_uri cert according
rgw/sts: fix to pick jwk which is of type
rgw/sts: adding code for JWT signature validation
Ville Ojamo [Mon, 28 Apr 2025 10:02:32 +0000 (17:02 +0700)]
doc/radosgw: Promptify commands and improve formatting in keystone.rst
Use blocks with bash privileged command prompt for CLI
command examples. Separate example command output to a
preformatted block. Previously a hard-coded prompt was used in
some places, inconsistently, while there were no prompts in others.
Janne Heß [Mon, 28 Apr 2025 09:04:25 +0000 (11:04 +0200)]
ceph-volume: Fix splitting with too many parts
The data can be anything and also contain a `=`, causing the line to
fail with `Too many values to unpack`. In my case, it failed with
`ID_FS_LABEL=pvc_name=rook-ceph-lvm-data-44f2gc`.
Regression was introduced here: https://github.com/ceph/ceph/pull/60006
Fixes: https://tracker.ceph.com/issues/71101
Signed-off-by: Janne Heß <janne@hess.ooo>
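The `=` split the commit above describes, as an added Python example (not ceph-volume's own code): the regressed one-split form beside a `partition`-based parser that keeps any `=` inside the value. The sample output is constructed; only its `ID_FS_LABEL` line is the one the commit quotes.

```python
"""Parsing udev-style KEY=VALUE output where VALUE may itself contain '='.

Added example, not ceph-volume's own code. The sample output below is
constructed; its ID_FS_LABEL line matches the one quoted in the commit message.
"""
from __future__ import annotations


def split_kv_naive(line: str) -> tuple[str, str]:
    """The regressed form: unpacking every '='-separated piece.

    Raises ValueError ("too many values to unpack") when the value contains '='.
    """
    key, value = line.split("=")
    return key, value


def split_kv(line: str) -> tuple[str, str]:
    """Split on the first '=' only, so the value keeps any '=' of its own."""
    key, sep, value = line.partition("=")
    if not sep:
        raise ValueError(f"not a KEY=VALUE line: {line!r}")
    return key.strip(), value


def parse_kv_output(text: str) -> dict[str, str]:
    """Turn blkid/udevadm style output into a dict, skipping blank lines."""
    props: dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        key, value = split_kv(line)
        props[key] = value
    return props


# Constructed sample in the style of `udevadm info --query=property` output.
SAMPLE_OUTPUT = """\
DEVNAME=/dev/mapper/ceph--vg-osd--block
ID_FS_TYPE=ceph_bluestore
ID_FS_LABEL=pvc_name=rook-ceph-lvm-data-44f2gc
"""

if __name__ == "__main__":
    for key, value in parse_kv_output(SAMPLE_OUTPUT).items():
        print(f"{key} -> {value}")
```

`str.partition` (or `split("=", 1)`) is the right tool whenever the key is known to contain no `=` but the value is arbitrary, which is exactly the case for filesystem labels chosen by an operator or an orchestrator such as Rook.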
Replace `boost::variant` with `std::variant` as part of our effort to reduce
third-party dependencies in favor of C++ standard library alternatives.
Benefits include:
- Improved code readability and maintainability
- Reduced external dependency surface
- More consistent API usage with other components
rgw/qa: added test case to assume a role after role creation
syncs, and then create a bucket on both primary and secondary.
The test name is test_assume_role_after_sync.
rgw/sts: bypassing authentication using temp creds
in case the request is forwarded from the secondary in
a multi-site setup; authenticating with the system
user, whose creds are used to sign the request.
Permissions are still derived from the role.
rgw/sts: adding validation of jwks_uri cert according
to https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_create_oidc_verify-thumbprint.html
for n&e which can be later used for all key types
(x5c, n&e).
Ville Ojamo [Sat, 26 Apr 2025 03:54:12 +0000 (10:54 +0700)]
doc/radosgw: Improve formatting in STS.rst
Some text uses hardcoded ordered list numbers and as a result
has duplicate list numbers. Move to use RST ordered lists and
indent the contents of each list item correctly. Fix referenced
list item number in text that pointed to a wrong list item.
Format references to parameter names, user IDs, file names etc
as inline code.
Add prompts to example commands.
Change instances of "rgw" or "Radosgw" in text to "RGW".
Signed-off-by: Ville Ojamo <14869000+bluikko@users.noreply.github.com>
Ville Ojamo [Sat, 26 Apr 2025 04:17:16 +0000 (11:17 +0700)]
doc/radosgw: Fix RST syntax rendered as text in oidc.rst
Empty line after starting a pre-formatted block with the double-colon
syntax is required, otherwise the double-colon does nothing and is just
rendered as-is as "::" and there would be no following pre-formatted
block.
Add empty lines after the double-colon syntax so that the following
block is rendered pre-formatted.
Also add bash privileged prompts to a block with 2 example CLI commands.
Signed-off-by: Ville Ojamo <14869000+bluikko@users.noreply.github.com>
Ville Ojamo [Sat, 26 Apr 2025 03:30:57 +0000 (10:30 +0700)]
doc/radosgw: Fix length of section header underlines in oidc.rst
Set the length of the RST syntax underlining for section headers to be
as long as the section header text.
Also it seems common to indent the document title with one space at both
the beginning and the end so do that.
Signed-off-by: Ville Ojamo <14869000+bluikko@users.noreply.github.com>
Patrick Donnelly [Fri, 25 Apr 2025 19:00:39 +0000 (15:00 -0400)]
Merge PR #62833 into main
* refs/pull/62833/head:
qa: test charmap changes with dir and snaps
mds: check for snapshots on parent snaprealms
mds: use strict_strtobool for parsing bools
common: take string_view for strict_tobool
This change is created in the same spirit as bb1fa818.
When building the tree with clang-21, the following warning was raised:
```
/home/kefu/dev/ceph/src/libcephfs_proxy/proxy_async.c:43:9: warning: arithmetic on a pointer to void is a GNU extension [-Wgnu-pointer-arith]
43 | data += iov->iov_len;
| ~~~~ ^
1 warning generated.
```
this change should address this warning by casting a `void*` pointer to
`char*` pointer before performing arithmetic operation on it.
Ville Ojamo [Fri, 25 Apr 2025 09:00:20 +0000 (16:00 +0700)]
doc/radosgw: Fix section header level in config-ref.rst
The section named "QoS Settings" looks like it should not be a child of
the section "SSE-S3 Settings". Move it to be a sibling to it, on the
same level instead.
Signed-off-by: Ville Ojamo <14869000+bluikko@users.noreply.github.com>
Ville Ojamo [Fri, 25 Apr 2025 07:16:52 +0000 (14:16 +0700)]
doc/radosgw: Fix section header levels in multisite-sync-policy.rst
The section header levels are reversed so the hierarchy in the TOC is
incorrect. Switch around the section header levels to make the TOC
hierarchy correct, for example individual examples are children of the
"Examples" section.
Signed-off-by: Ville Ojamo <14869000+bluikko@users.noreply.github.com>